Rule ID AC_K8S_0080 broken
lisenet opened this issue · comments
lisenet commented
- terrascan version: 1.18.3
- Operating System: Ubuntu 20.04 LTS
Description
Terrascan does not detect seccompProfile. This is a bug in a policy definition.
What I Did
Create a Kubernetes deployment configuration file with seccompProfile defined:

```shell
mkdir ./test
cat <<EOF > ./test/httpd-healthcheck.yml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpd-healthcheck
  namespace: httpd-healthcheck
  labels:
    app: httpd-healthcheck
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpd-healthcheck
  template:
    metadata:
      name: httpd-healthcheck
      labels:
        app: httpd-healthcheck
    spec:
      securityContext:
        seccompProfile:
          type: "RuntimeDefault"
      containers:
        - name: httpd-healthcheck
          image: example/httpd-healthcheck:1.0.0
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: "RuntimeDefault"
EOF
```
Run the terrascan command against it:

```shell
cd ./temp/
terrascan scan -v -i k8s --scan-rules="AC_K8S_0080" ./test/
```
This is the output:

```
Description    :    Default seccomp profile not enabled will make the container to make non-essential system calls
File           :    healthcheck-deployment.yml
Line           :    2
Severity       :    MEDIUM
Rule Name      :    secCompProfile
Rule ID        :    AC_K8S_0080
Resource Name  :    httpd-healthcheck
Resource Type  :    kubernetes_deployment
Category       :    Identity and Access Management
```
The policy is configured to look for `secCompProfile` when it should be `seccompProfile`.
See here.
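The check the policy is supposed to perform, written out as an added example (this is not terrascan's Rego policy, and nothing here is from the issue author). It walks the pod spec of a Deployment the way the Kubernetes API defines it: `securityContext.seccompProfile.type` may be set at pod level and is inherited by every container that does not override it, and only `RuntimeDefault` and `Localhost` are restrictive values (`Unconfined` turns seccomp off). The field name the check looks up is a parameter so the false positive from the issue can be reproduced directly: passing the misspelled key `secCompProfile` never matches, so the manifest above is reported as non-compliant. The manifests are constructed inline as the Python dicts a YAML loader such as `yaml.safe_load` would produce, so the script runs without dependencies; the `UNCONFINED` and `POD_LEVEL_ONLY` manifests are my own additions to exercise the other two branches.

```python
"""Seccomp-profile check for Kubernetes workloads (added example, not terrascan code)."""

# Values of securityContext.seccompProfile.type that actually restrict syscalls.
# "Unconfined" is a valid value but disables seccomp, so it must be flagged too.
COMPLIANT_TYPES = {"RuntimeDefault", "Localhost"}


def pod_spec(manifest):
    """Return the PodSpec for a Pod, or the template PodSpec for workload kinds
    (Deployment, StatefulSet, DaemonSet, Job) that embed one."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def seccomp_type(security_context, key):
    """Read <securityContext>.<key>.type; None when absent.
    `key` is normally "seccompProfile"; the misspelling from the bug report
    ("secCompProfile") is accepted here only to demonstrate the false positive."""
    return (security_context or {}).get(key, {}).get("type")


def check_seccomp(manifest, key="seccompProfile"):
    """Return a list of findings for every container (including initContainers)
    whose effective seccomp profile is missing or non-restrictive. An empty list
    means the workload is compliant. A pod-level profile is inherited by any
    container that does not set its own."""
    spec = pod_spec(manifest)
    pod_type = seccomp_type(spec.get("securityContext"), key)
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        effective = seccomp_type(c.get("securityContext"), key) or pod_type
        if effective is None:
            findings.append(f"{c['name']}: no {key} at container or pod level")
        elif effective not in COMPLIANT_TYPES:
            findings.append(f"{c['name']}: {key}.type is {effective!r}")
    return findings


# Constructed input: the httpd-healthcheck Deployment from the report, as parsed YAML.
HTTPD_HEALTHCHECK = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "httpd-healthcheck", "namespace": "httpd-healthcheck"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "httpd-healthcheck"}},
        "template": {
            "metadata": {"labels": {"app": "httpd-healthcheck"}},
            "spec": {
                "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                "containers": [{
                    "name": "httpd-healthcheck",
                    "image": "example/httpd-healthcheck:1.0.0",
                    "securityContext": {
                        "allowPrivilegeEscalation": False,
                        "seccompProfile": {"type": "RuntimeDefault"},
                    },
                }],
            },
        },
    },
}

# Constructed input (hypothetical): pod-level profile only, inherited by the container.
POD_LEVEL_ONLY = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "example/app:1.0.0"}],
    }}},
}

# Constructed input (hypothetical): a sidecar that overrides the pod profile with Unconfined.
UNCONFINED = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "example/app:1.0.0"},
            {"name": "sidecar", "image": "example/sidecar:1.0.0",
             "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ],
    },
}

if __name__ == "__main__":
    print("correct key   :", check_seccomp(HTTPD_HEALTHCHECK))
    print("misspelled key:", check_seccomp(HTTPD_HEALTHCHECK, key="secCompProfile"))
    print("inherited     :", check_seccomp(POD_LEVEL_ONLY))
    print("unconfined    :", check_seccomp(UNCONFINED))
```

With the correct key the Deployment from the report produces no findings; with `secCompProfile` the same manifest is flagged for exactly the reason the issue describes, because the lookup is case-sensitive and the misspelled key is never present in a valid manifest.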